shipslides

Security model

User-uploaded HTML is arbitrary code. Treating it that way is the foundation of how Shipslides is designed.

What we lock down

  • connect-src allowlist — uploaded scripts can use network APIs only for Wikipedia, Wikimedia, YouTube, https://i.ytimg.com, and Google Fonts.
  • img-src allows self/data/blob images plus Wikimedia and https://i.ytimg.com thumbnails. No other external image hosts are permitted.
  • media-src allows self/data/blob media plus Wikimedia. No other external media hosts are permitted.
  • style-src allows inline/self styles plus https://fonts.googleapis.com/css. No other external stylesheet hosts are permitted.
  • font-src allows self/data fonts plus https://fonts.gstatic.com. No other external font hosts are permitted.
  • form-action 'none' — fake login forms have nowhere to submit.
  • frame-ancestors locked to Shipslides — decks cannot be embedded by arbitrary sites pretending to be us.
  • iframe sandbox — no allow-same-origin, no top-frame nav, no popups, no modal dialogs.
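
A check that a served Content-Security-Policy header and iframe sandbox attribute still meet the lock-down list above, as an added example that is not Shipslides' own code. The sample header is constructed: the wildcard host patterns, the frame-src line and the https://shipslides.com origin are assumptions, since the page does not give exact source expressions, and parseCsp and auditDeckPolicy are hypothetical names.

```javascript
// Constructed sample values modelled on the list above. The wildcard host
// patterns, the frame-src line and the https://shipslides.com origin are
// assumptions; the page does not give the exact source expressions.
const SAMPLE_CSP = [
  "connect-src https://*.wikipedia.org https://*.wikimedia.org https://www.youtube.com https://i.ytimg.com https://fonts.googleapis.com https://fonts.gstatic.com",
  "img-src 'self' data: blob: https://*.wikimedia.org https://i.ytimg.com",
  "media-src 'self' data: blob: https://*.wikimedia.org",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/css",
  "font-src 'self' data: https://fonts.gstatic.com",
  "frame-src https://www.youtube.com/embed/ https://www.youtube-nocookie.com/embed/",
  "form-action 'none'",
  "frame-ancestors https://shipslides.com",
].join("; ");
const SAMPLE_SANDBOX = "allow-scripts"; // constructed iframe sandbox value

const FETCH_DIRECTIVES = ["connect-src", "img-src", "media-src", "style-src", "font-src"];
const OPEN_SOURCE = /^(\*|(https?|wss?):(\/\/\*)?)$/i; // "*", "https:", "https://*"
const BAD_SANDBOX = /^allow-(same-origin|top-navigation|popups|modals)/;

// Split a CSP header into directive -> source list. A repeated directive is
// ignored by browsers, so only the first occurrence is kept.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Return the ways a header / sandbox pair falls short of the lock-down list.
function auditDeckPolicy(cspHeader, sandboxAttr) {
  const csp = parseCsp(cspHeader);
  const findings = [];
  for (const d of FETCH_DIRECTIVES) {
    const sources = csp.get(d) ?? csp.get("default-src"); // fetch directives fall back
    if (!sources) { findings.push(`${d}: not set, any host allowed`); continue; }
    for (const s of sources) if (OPEN_SOURCE.test(s)) findings.push(`${d}: open source ${s}`);
  }
  const fa = csp.get("form-action"); // no default-src fallback for this one
  if (!fa || fa.length !== 1 || fa[0].toLowerCase() !== "'none'") findings.push("form-action: not 'none'");
  const anc = csp.get("frame-ancestors"); // nor for this one
  if (!anc || anc.some((s) => OPEN_SOURCE.test(s))) findings.push("frame-ancestors: not pinned to an origin");
  if (sandboxAttr == null) findings.push("sandbox: attribute missing");
  else for (const t of sandboxAttr.toLowerCase().split(/\s+/))
    if (BAD_SANDBOX.test(t)) findings.push(`sandbox: ${t} present`);
  return findings;
}
```

An empty findings list means the pair meets every item checked; each string names the directive or sandbox token that drifted.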

What we allow (curated)

Decks can fetch public content from Wikipedia, Wikimedia, selected YouTube origins, YouTube thumbnails, and the Google Fonts CSS/font endpoints. They can also embed videos from YouTube via the standard https://www.youtube.com/embed/<id> (or https://www.youtube-nocookie.com/embed/<id>) iframe URL. No other third-party network or iframe hosts are permitted; every addition to this allowlist gets a security review.

What we accept as residual risk

  • CPU usage by the deck (you can close the tab).
  • JS-API fingerprinting — but with no network egress, the deck cannot transmit fingerprints.
  • Visual phishing inside the iframe — mitigated by clear app-level chrome around the deck.

What we ask of authors

  • Paste JS/CSS inline. Images can be data URIs already, or you can let Shipslides download absolute image URLs and store them as data URIs during upload.
  • Don't paste API keys or secrets — your deck is publicly readable. We scan for common token patterns and warn before publishing.
  • Save your claim token after upload. It is the only way to take a deck down.

Reporting abuse

Found a deck that violates our rules? Email abuse@shipslides.com with the deck URL. We aim to respond within 24 hours.